@polygraphso/litmus 0.9.1 → 0.11.0

package/README.md

@@ -30,16 +30,28 @@ and the grade is capped at **B** for that run.
 ```bash
 polygraphso-litmus litmus <registry-ref | https-url | path-to-mcp>   # grade a server
 polygraphso-litmus litmus --json <ref>                              # machine-readable evidence bundle
+polygraphso-litmus litmus --timeout <seconds> <ref>                 # cap the whole run (default 900s)
 polygraphso-litmus check <ref>                                      # look up a published grade
 ```
 
 Examples:
 
 ```bash
-polygraphso-litmus litmus npm/@modelcontextprotocol/server-filesystem
+# a remote https target runs no local code — graded directly
 polygraphso-litmus litmus https://example.com/mcp
+
+# a registry ref or local file launches the TARGET's own code. Grade it sandboxed:
+LITMUS_STDIO_ISOLATION=docker polygraphso-litmus litmus npm/@modelcontextprotocol/server-filesystem
+# …or, without Docker, opt in to running it on this host:
+polygraphso-litmus litmus --unsafe-host-exec npm/@modelcontextprotocol/server-filesystem
 ```
 
+**Host-execution safety.** Grading a registry ref (`npm/…`, `pypi/…`) or a local
+path **launches the target's own code**. By default the CLI refuses to do that on
+your host: set `LITMUS_STDIO_ISOLATION=docker` to run the target only inside the
+hardened sandbox, or pass `--unsafe-host-exec` to accept host execution. Remote
+`https://` targets run no local code and need neither.
+
 The `litmus` command exits non-zero on a failing grade (D/F), so it scripts in CI.
 
 To dispute a published grade, just re-run `litmus` against the same server: the harness is
@@ -54,7 +66,9 @@ MCP-capable client. It exposes two tools:
   and return the grade and the evidence. Optional **`bearer`** (and `header`
   entries, each `"Key: Value"`) grade a token-gated `https://` MCP target — sent
   to that origin only, ignored for stdio/local targets, the same plumbing as the
-  CLI's `--bearer` / `--header`.
+  CLI's `--bearer` / `--header`. Grading a registry ref or local path launches the
+  target's own code, so it requires **`unsafe_host_exec: true`** unless
+  `LITMUS_STDIO_ISOLATION=docker` is set (the MCP mirror of `--unsafe-host-exec`).
 - **`verify_attestation`** — passively read a server's *already-published* grade
   before trusting or paying it.
 

package/dist/chunk-EMMCE3LC.js

@@ -0,0 +1,215 @@
+import {
+  CATEGORY_META,
+  canonicalStringify
+} from "./chunk-X3P26XGS.js";
+
+// ../cli/src/litmus.ts
+import { existsSync } from "fs";
+import { createRequire } from "module";
+import * as path from "path";
+
+// ../cli/src/format.ts
+function formatBundle(b) {
+  const lines = [];
+  lines.push(`\u2192 ${b.methodologyVersion} \xB7 ${b.serverRef}`);
+  if (b.resolvedVersion) lines.push(`\u2192 version ${b.resolvedVersion}`);
+  lines.push("\u2192 checks");
+  const labelWidth = Math.max(0, ...b.categories.map((c) => CATEGORY_META[c.code].label.length));
+  for (const c of b.categories) {
+    const { label, description } = CATEGORY_META[c.code];
+    lines.push(`    ${c.code}  ${label.padEnd(labelWidth)}  ${c.status}`);
+    lines.push(`          ${description}`);
+  }
+  const c01 = b.categories.find((c) => c.code === "C-01");
+  if (c01?.status === "fail") {
+    const highs = c01.probes.flatMap((p) => p.findings).filter((f) => f.severity === "high");
+    for (const f of highs.slice(0, 3)) {
+      lines.push(`   \u26A0 ${f.tool ?? "?"}: ${f.kind} \u2014 ${truncate(f.match, 64)}`);
+    }
+  }
+  lines.push(`\u2192 fingerprint ${shortFp(b.toolDefsFingerprint)}`);
+  lines.push(`\u2192 grade: ${b.grade}`);
+  lines.push(`   ${b.gradeRationale}`);
+  return lines.join("\n") + "\n";
+}
+function shortFp(fp) {
+  return fp.length > 14 ? `${fp.slice(0, 6)}\u2026${fp.slice(-4)}` : fp;
+}
+function truncate(s, n) {
+  return s.length > n ? `${s.slice(0, n)}\u2026` : s;
+}
+
+// ../cli/src/litmus.ts
+var DEFAULT_RUN_TIMEOUT_MS = 15 * 60 * 1e3;
+async function runLitmusCli(args) {
+  const json = args.includes("--json");
+  const { headers, allowStateChanging, unsafeHostExec, timeoutMs, positionals } = parseAuthFlags(args);
+  const target = positionals[0];
+  if (!target) {
+    process.stderr.write(
+      'usage: polygraphso litmus [--json] [--bearer <token>] [--header "Key: Value"] [--allow-state-changing] [--unsafe-host-exec] [--timeout <seconds>] <registry-ref | https-url | path-to-mcp>\n'
+    );
+    return 2;
+  }
+  const input = resolveTarget(target);
+  const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
+  const interactive = Boolean(process.stdin.isTTY && process.stdout.isTTY);
+  const probes = await import("./src-4L5VHLRF.js");
+  const dockerAvailable = isStdio && interactive ? await probes.isDockerAvailable() : false;
+  const decision = checkHostExec(input, { optIn: unsafeHostExec, dockerAvailable, interactive });
+  if (decision.action === "refuse") {
+    process.stderr.write(`\u2192 litmus: ${decision.refuse}
+`);
+    return 2;
+  }
+  if (decision.action === "confirm" && !await promptYesNo(decision.prompt, decision.defaultYes)) {
+    process.stderr.write("\u2192 litmus: cancelled.\n");
+    return 2;
+  }
+  const isolation = decision.isolation;
+  if (decision.warn) process.stderr.write(`\u2192 ${decision.warn}
+`);
+  if (!json) process.stderr.write(`\u2192 running litmus against ${target} \u2026 (~20\u201360s)
+`);
+  const onProgress = (done, total, label) => {
+    if (!json) process.stderr.write(`  \u2192 [${done}/${total}] ${label}
+`);
+  };
+  try {
+    const bundle = await probes.runLitmus(input, {
+      headers,
+      allowStateChanging,
+      timeoutMs,
+      onProgress,
+      ...isolation ? { isolation } : {}
+    });
+    process.stdout.write(json ? canonicalStringify(bundle) + "\n" : formatBundle(bundle));
+    return bundle.grade === "D" || bundle.grade === "F" ? 1 : 0;
+  } catch (err) {
+    process.stderr.write(`\u2192 litmus failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return 1;
+  }
+}
+async function promptYesNo(prompt, defaultYes) {
+  const { createInterface } = await import("readline/promises");
+  const rl = createInterface({ input: process.stdin, output: process.stderr });
+  try {
+    return isAffirmative(await rl.question(prompt), defaultYes);
+  } finally {
+    rl.close();
+  }
+}
+function parseAuthFlags(args, env = process.env) {
+  const headers = {};
+  const headerArgs = [];
+  let allowStateChanging = false;
+  let unsafeHostExec = false;
+  let timeoutMs = DEFAULT_RUN_TIMEOUT_MS;
+  let bearer = env.LITMUS_BEARER || void 0;
+  const positionals = [];
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (a === "--json") continue;
+    if (a === "--allow-state-changing") {
+      allowStateChanging = true;
+    } else if (a === "--unsafe-host-exec") {
+      unsafeHostExec = true;
+    } else if (a === "--timeout") {
+      timeoutMs = timeoutSecondsToMs(args[++i]) ?? timeoutMs;
+    } else if (a.startsWith("--timeout=")) {
+      timeoutMs = timeoutSecondsToMs(a.slice("--timeout=".length)) ?? timeoutMs;
+    } else if (a === "--bearer") {
+      bearer = args[++i] ?? bearer;
+    } else if (a.startsWith("--bearer=")) {
+      bearer = a.slice("--bearer=".length);
+    } else if (a === "--header") {
+      const v = args[++i];
+      if (v) headerArgs.push(v);
+    } else if (a.startsWith("--header=")) {
+      headerArgs.push(a.slice("--header=".length));
+    } else if (a.startsWith("--")) {
+    } else {
+      positionals.push(a);
+    }
+  }
+  if (bearer) headers["Authorization"] = `Bearer ${bearer}`;
+  for (const h of headerArgs) {
+    const idx = h.indexOf(":");
+    if (idx === -1) continue;
+    const key = h.slice(0, idx).trim();
+    const value = h.slice(idx + 1).trim();
+    if (key) headers[key] = value;
+  }
+  return { headers, allowStateChanging, unsafeHostExec, timeoutMs, positionals };
+}
+function timeoutSecondsToMs(v) {
+  if (!v) return void 0;
+  const sec = Number(v);
+  return Number.isFinite(sec) && sec > 0 ? Math.floor(sec * 1e3) : void 0;
+}
+function checkHostExec(input, gate) {
+  const { optIn, dockerAvailable, interactive, optInHint = "--unsafe-host-exec", env = process.env } = gate;
+  const isStdio = typeof input !== "string" || !/^https?:\/\//i.test(input);
+  if (!isStdio) return { action: "allow" };
+  if (env.LITMUS_STDIO_ISOLATION === "docker") return { action: "allow", isolation: "docker" };
+  const why = "this launches the target's own code; without Docker isolation it runs on THIS host";
+  const warn = `\u26A0 unsafe host execution \u2014 ${why}.`;
+  if (optIn) return { action: "allow", isolation: "none", warn };
+  if (interactive) {
+    if (dockerAvailable) {
+      return {
+        action: "confirm",
+        isolation: "docker",
+        defaultYes: true,
+        prompt: "Docker detected \u2014 the target will run sandboxed (recommended). Proceed? [Y/n] "
+      };
+    }
+    return {
+      action: "confirm",
+      isolation: "none",
+      defaultYes: false,
+      prompt: `No Docker found \u2014 this would run the target's own code on THIS host, unsandboxed.
+  Type "yes" to proceed, or set LITMUS_STDIO_ISOLATION=docker to sandbox: `,
+      warn
+    };
+  }
+  return {
+    action: "refuse",
+    refuse: `refusing host execution \u2014 ${why}.
+  \u2022 sandboxed (recommended): set LITMUS_STDIO_ISOLATION=docker (requires Docker)
+  \u2022 accept the risk: re-run with ${optInHint}`
+  };
+}
+function isAffirmative(answer, defaultYes) {
+  const a = answer.trim().toLowerCase();
+  if (a === "") return defaultYes;
+  return a === "y" || a === "yes";
+}
+function resolveTarget(target) {
+  if (/^https?:\/\//i.test(target)) return target;
+  if (existsSync(target)) {
+    const abs = path.resolve(target);
+    if (abs.endsWith(".ts") || abs.endsWith(".mts") || abs.endsWith(".cts")) {
+      return { command: process.execPath, args: [tsxCli(), abs], serverRef: target };
+    }
+    return { command: process.execPath, args: [abs], serverRef: target };
+  }
+  return target;
+}
+function tsxCli() {
+  const require2 = createRequire(import.meta.url);
+  const pkgJsonPath = require2.resolve("tsx/package.json");
+  const dir = path.dirname(pkgJsonPath);
+  const bin = require2(pkgJsonPath).bin;
+  const rel = typeof bin === "string" ? bin : bin.tsx ?? "./dist/cli.mjs";
+  return path.join(dir, rel);
+}
+
+export {
+  DEFAULT_RUN_TIMEOUT_MS,
+  runLitmusCli,
+  parseAuthFlags,
+  checkHostExec,
+  resolveTarget
+};

package/dist/{chunk-RYJXVMCT.js → chunk-NPYDTMQ7.js}

@@ -3,7 +3,7 @@ import {
   METHODOLOGY_VERSION,
   parseServerRef,
   serverKey
-} from "./chunk-44R4ZYOE.js";
+} from "./chunk-X3P26XGS.js";
 
 // ../probes/src/harness.ts
 import { execFile as execFile3 } from "child_process";
@@ -451,6 +451,10 @@ import { execFile as execFile2 } from "child_process";
 import { promisify } from "util";
 import { randomUUID as randomUUID3 } from "crypto";
 var execFileP = promisify(execFile2);
+var TARGET_STDERR = process.env.LITMUS_DEBUG ? "inherit" : "pipe";
+function discardStderr(transport) {
+  transport.stderr?.resume?.();
+}
 var CLIENT_INFO = { name: "polygraph-litmus", version: "0.0.0" };
 async function connectTarget(input, opts = {}) {
   const isolated = opts.isolation === "docker";
@@ -464,6 +468,7 @@ async function connectTarget(input, opts = {}) {
       command: input.command,
       args: input.args ?? [],
       env: { ...getDefaultEnvironment(), ...opts.seedEnv ?? {}, ...input.env ?? {} },
+      stderr: TARGET_STDERR,
       ...input.cwd ?? opts.seedCwd ? { cwd: input.cwd ?? opts.seedCwd } : {}
     });
     const cmdline = [input.command, ...input.args ?? []].join(" ");
@@ -497,6 +502,7 @@ async function connectTarget(input, opts = {}) {
     command: launch.command,
     args: launch.args,
     env: { ...getDefaultEnvironment(), ...opts.seedEnv ?? {} },
+    stderr: TARGET_STDERR,
     ...opts.seedCwd ? { cwd: opts.seedCwd } : {}
   });
   const client = await connectOrThrow(transport);
@@ -518,14 +524,14 @@ async function connectHostNpm(ref, parsed, opts) {
   const binNames = await fetchNpmBins(spec, parsed.name);
   if (!binNames || binNames.length === 0) {
     const args = ["-y", spec];
-    const transport = new StdioClientTransport({ command: "npx", args, env, ...cwd });
+    const transport = new StdioClientTransport({ command: "npx", args, env, stderr: TARGET_STDERR, ...cwd });
     const client = await connectOrThrow(transport);
     return makeResult(client, "stdio", { kind: "stdio", command: ["npx", ...args].join(" "), url: null }, serverRefVal, resolvedVersion, []);
   }
   const candidates = orderBinCandidates(binNames, parsed.name);
   const { result } = await probeForMcpBin(ref, candidates, async (bin) => {
     const args = ["-y", "-p", spec, bin];
-    const transport = new StdioClientTransport({ command: "npx", args, env, ...cwd });
+    const transport = new StdioClientTransport({ command: "npx", args, env, stderr: TARGET_STDERR, ...cwd });
     const client = await tryConnect(transport);
     return client ? { client, descriptor: { kind: "stdio", command: ["npx", ...args].join(" "), url: null } } : null;
   });
@@ -562,8 +568,9 @@ async function connectIsolatedNpm(ref, parsed, opts) {
       const transport = new StdioClientTransport({
         command: launch.command,
         args: namedArgs,
-        env: getDefaultEnvironment()
+        env: getDefaultEnvironment(),
         // default env only: no host secrets, no canaries
+        stderr: TARGET_STDERR
       });
       const client = await tryConnect(transport);
       if (!client) {
@@ -608,6 +615,7 @@ async function tryConnect(transport) {
   const client = new Client(CLIENT_INFO, { capabilities: {} });
   try {
     await withConnectTimeout(client.connect(transport), transport);
+    discardStderr(transport);
     return client;
   } catch {
     try {
@@ -620,6 +628,7 @@ async function tryConnect(transport) {
 async function connectOrThrow(transport) {
   const client = new Client(CLIENT_INFO, { capabilities: {} });
   await withConnectTimeout(client.connect(transport), transport);
+  discardStderr(transport);
   return client;
 }
 function makeResult(client, kind, descriptor, serverRef, resolvedVersion, teardownExtra) {
@@ -1536,12 +1545,14 @@ async function runEgressProbe(ref, opts) {
     if (staged) await staged.cleanup();
   }
 }
+async function exerciseSurface(client, exercise) {
+  for (const t of await enumerateTools(client)) {
+    await exercise({ name: t.name, description: t.description ?? "", inputSchema: t.inputSchema ?? null });
+  }
+}
 async function collectEgress(conn, sink, declaredEgress, baselineAllowlist) {
   try {
-    const { tools } = await conn.client.listTools();
-    for (const t of tools) {
-      await exerciseTool(conn.client, { name: t.name, description: t.description ?? "", inputSchema: t.inputSchema ?? null });
-    }
+    await exerciseSurface(conn.client, (def) => exerciseTool(conn.client, def));
   } finally {
     await conn.teardown();
   }
@@ -2025,7 +2036,7 @@ async function runLitmus(target, opts = {}) {
   const isolation = opts.isolation ?? (process.env.LITMUS_STDIO_ISOLATION === "docker" ? "docker" : "none");
   const ranAt = (/* @__PURE__ */ new Date()).toISOString();
   const baselineAllowlist = [...DEFAULT_EGRESS_BASELINE, ...parseAllowlistEnv(process.env.LITMUS_EGRESS_ALLOWLIST)];
-  const dockerAvailable = await checkDocker();
+  const dockerAvailable = await isDockerAvailable();
   const canaries = mintCanaries();
   const seedEnv = canaryEnv(canaries);
   const isHttp = typeof target === "string" && /^https?:\/\//i.test(target);
@@ -2167,7 +2178,7 @@ function withTimeout(p, ms, label) {
     })
   ]);
 }
-function checkDocker() {
+function isDockerAvailable() {
   return new Promise((resolve) => {
     const child = execFile3("docker", ["info"], { timeout: 4e3 }, (err) => resolve(!err));
     child.on("error", () => resolve(false));
@@ -2362,6 +2373,12 @@ function overBroadTrigger(description) {
 }
 
 // ../probes/src/skills/grade-skill.ts
+var SKILL_CATEGORY_META = {
+  "S-01": { label: "prompt injection / context poisoning", description: "whether the skill body tries to hijack the agent" },
+  "S-03": { label: "data-exfiltration instructions", description: "whether it instructs the agent to leak secrets" },
+  "S-04": { label: "dangerous bundled commands", description: "whether it ships dangerous executable commands" },
+  "S-05": { label: "tool / permission overreach", description: "whether it claims more capability than it needs" }
+};
 var DISQUALIFYING = /* @__PURE__ */ new Set(["S-01", "S-03"]);
 var CAPPING = /* @__PURE__ */ new Set(["S-04", "S-05"]);
 function gradeSkillCategories(categories) {
@@ -2626,6 +2643,8 @@ export {
   gradeFromCategories,
   assembleBundle,
   runLitmus,
+  enumerateTools,
+  isDockerAvailable,
   SkillLoadError,
   loadSkill,
   stripExamples,
@@ -2634,6 +2653,7 @@ export {
   exfilInstruction,
   dangerousCommand,
   overBroadTrigger,
+  SKILL_CATEGORY_META,
   gradeSkillCategories,
   SKILL_METHODOLOGY_VERSION,
   SKILL_BUNDLE_SCHEMA_VERSION,

package/dist/{chunk-Z66GKAQD.js → chunk-TK4EI66E.js}

@@ -1,22 +1,26 @@
 import {
+  DEFAULT_RUN_TIMEOUT_MS,
+  checkHostExec,
   parseAuthFlags,
   resolveTarget
-} from "./chunk-BUKDFSDO.js";
+} from "./chunk-EMMCE3LC.js";
 import {
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   runLitmus,
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-RYJXVMCT.js";
+} from "./chunk-NPYDTMQ7.js";
 import {
+  CATEGORY_META,
   CATEGORY_STATUS_UINT8,
   METHODOLOGY_VERSION,
   parseServerRef,
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-44R4ZYOE.js";
+} from "./chunk-X3P26XGS.js";
 
 // ../onchain/src/networks.ts
 var NETWORKS = {
@@ -299,24 +303,37 @@ var RUN_LITMUS_TOOL_DESCRIPTION = [
 var runLitmusInputShape = {
   server_ref: z.string().min(1).max(512).describe("What to grade: a registry ref (npm/@scope/server), an https:// MCP URL, or a local path to an MCP entry file."),
   bearer: z.string().min(1).max(8192).optional().describe("Bearer token for a token-gated https:// MCP server. Sent as `Authorization: Bearer <token>` to the target origin only. Ignored for stdio/local targets."),
-  header: z.array(z.string()).max(20).optional().describe('Extra HTTP headers for a gated https:// target, each "Key: Value" (e.g. "X-Api-Key: \u2026"). Overrides the bearer-derived Authorization for the same key. Ignored for stdio/local targets.')
+  header: z.array(z.string()).max(20).optional().describe('Extra HTTP headers for a gated https:// target, each "Key: Value" (e.g. "X-Api-Key: \u2026"). Overrides the bearer-derived Authorization for the same key. Ignored for stdio/local targets.'),
+  unsafe_host_exec: z.boolean().optional().describe("Required to grade a registry ref or local path: it launches the target's own code, and without Docker isolation that runs on THIS host. Set true to accept host execution. Ignored for https:// targets or when LITMUS_STDIO_ISOLATION=docker."),
+  timeout_seconds: z.number().int().positive().max(3600).optional().describe("Aggregate wall-clock ceiling for the whole run, in seconds (default 900). Bounds a hostile server that stretches the run across many tools/probes.")
 };
 var PROGRESS_TOTAL = 5;
-async function handleRunLitmus({ server_ref, bearer, header }, extra) {
+async function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, timeout_seconds }, extra) {
   try {
     const argv = [
       ...bearer ? ["--bearer", bearer] : [],
       ...(header ?? []).flatMap((h) => ["--header", h])
     ];
     const { headers } = parseAuthFlags(argv, {});
+    const input = resolveTarget(server_ref);
+    const decision = checkHostExec(input, {
+      optIn: unsafe_host_exec ?? false,
+      dockerAvailable: false,
+      interactive: false,
+      optInHint: 'set "unsafe_host_exec": true'
+    });
+    if (decision.action === "refuse") {
+      return { isError: true, content: [{ type: "text", text: `run_litmus refused: ${decision.refuse}` }] };
+    }
     const progressToken = extra._meta?.progressToken;
     const sendProgress = progressToken !== void 0 ? (progress, message) => void extra.sendNotification({
       method: "notifications/progress",
       params: { progressToken, progress, total: PROGRESS_TOTAL, message }
     }) : void 0;
     sendProgress?.(0, `Connecting to ${server_ref}\u2026`);
-    const bundle = await runLitmus(resolveTarget(server_ref), {
+    const bundle = await runLitmus(input, {
       ...Object.keys(headers).length ? { headers } : {},
+      timeoutMs: timeout_seconds ? timeout_seconds * 1e3 : DEFAULT_RUN_TIMEOUT_MS,
       ...sendProgress ? { onProgress: (done, _total, label) => sendProgress(done, label) } : {}
     });
     const payload = summarize(bundle);
@@ -326,18 +343,19 @@ async function handleRunLitmus({ server_ref, bearer, header }, extra) {
     return { isError: true, content: [{ type: "text", text: `run_litmus failed: ${message}` }] };
   }
 }
-var CATEGORY_LABEL = {
-  "C-01": "tool-output injection",
-  "C-02": "permission / egress overreach",
-  "C-03": "sensitive-data handling",
-  "C-04": "adversarial-input handling"
-};
 function summarize(b) {
   const find = (code) => b.categories.find((c) => c.code === code);
   const categories = ["C-01", "C-02", "C-03", "C-04"].map((code) => {
     const c = find(code);
     const findings = c?.status === "fail" ? c.probes.flatMap((p) => p.findings).filter((f) => f.severity === "high").slice(0, 5).map((f) => ({ tool: f.tool, kind: f.kind, match: truncate(f.match, 120), host: f.host, port: f.port })) : [];
-    return { code, check: CATEGORY_LABEL[code], status: c?.status ?? "unknown", reason: c?.reason ?? null, findings };
+    return {
+      code,
+      check: CATEGORY_META[code].label,
+      description: CATEGORY_META[code].description,
+      status: c?.status ?? "unknown",
+      reason: c?.reason ?? null,
+      findings
+    };
   });
   return {
     grade: b.grade,
@@ -407,15 +425,11 @@ async function handleRunSkillLitmus({ skill_ref }, ctx = {}) {
 function errorResult(message) {
   return { isError: true, content: [{ type: "text", text: `run_skill_litmus failed: ${message}` }] };
 }
-var CATEGORY_LABEL2 = {
-  "S-01": "prompt injection / context poisoning",
-  "S-03": "data-exfiltration instructions",
-  "S-04": "dangerous bundled commands"
-};
 function summarize2(b) {
   const categories = b.categories.map((c) => ({
     code: c.code,
-    check: CATEGORY_LABEL2[c.code] ?? c.code,
+    check: SKILL_CATEGORY_META[c.code]?.label ?? c.code,
+    description: SKILL_CATEGORY_META[c.code]?.description ?? null,
     status: c.status,
     reason: c.reason ?? null,
     findings: c.status === "fail" ? c.findings.filter((f) => f.severity === "high").slice(0, 5).map((f) => ({ kind: f.kind, match: truncate2(f.match, 120), file: f.file })) : []

package/dist/{chunk-44R4ZYOE.js → chunk-X3P26XGS.js}

@@ -1,6 +1,12 @@
 // ../core/src/types.ts
 var METHODOLOGY_VERSION = "litmus-v5";
 var BUNDLE_SCHEMA_VERSION = "1.4.0";
+var CATEGORY_META = {
+  "C-01": { label: "tool-output injection", description: "whether it tries to hijack the caller through tool output" },
+  "C-02": { label: "permission / egress overreach", description: "whether it reaches the network beyond what it declares" },
+  "C-03": { label: "sensitive-data handling", description: "whether it leaks planted secrets it was handed" },
+  "C-04": { label: "adversarial-input handling", description: "whether it stays stable on malformed or hostile input" }
+};
 var CATEGORY_STATUS_UINT8 = {
   pass: 0,
   fail: 1,
@@ -174,6 +180,7 @@ function sortDeep(value, depth = 0) {
 export {
   METHODOLOGY_VERSION,
   BUNDLE_SCHEMA_VERSION,
+  CATEGORY_META,
   CATEGORY_STATUS_UINT8,
   ServerRefParseError,
   parseServerRef,

package/dist/cli-skill.js

@@ -1,31 +1,18 @@
 #!/usr/bin/env node
 import {
+  SKILL_CATEGORY_META,
   judgeFromEnv,
   runSkillLitmus,
   runSkillQuality,
   runSkillQualityJudged
-} from "./chunk-RYJXVMCT.js";
-import "./chunk-44R4ZYOE.js";
+} from "./chunk-NPYDTMQ7.js";
+import "./chunk-X3P26XGS.js";
 
 // src/cli-skill.ts
 import { statSync } from "fs";
-var HELP = `polygraphso-litmus-skill \u2014 static safety grades for Claude Code skills.
-
-usage:
-  polygraphso-litmus-skill [--json] <path-to-skill-dir>
-  polygraphso-litmus-skill --help
-
-The skill dir must contain a SKILL.md. The safety letter is a STATIC scan (no
-execution); an A means the static checks were clean, not that the skill is
-behaviorally safe.
 
-It also prints a separate, advisory quality signal. The optional LLM-judged
-axes (honesty, coherence) run only if you provide your own key \u2014 set
-LITMUS_LLM_API_KEY and LITMUS_LLM_MODEL (and LITMUS_LLM_BASE_URL for a non-OpenAI
-endpoint). Without a key only the deterministic well-formedness checks run.
-More at https://polygraph.so
-`;
-function render(b) {
+// src/format-skill.ts
+function formatSkillSafety(b) {
   const lines = [
     `grade: ${b.grade}  (${b.methodologyVersion})`,
     `${b.gradeRationale}`,
@@ -34,8 +21,11 @@ function render(b) {
     "",
     "categories:"
   ];
+  const labelWidth = Math.max(0, ...b.categories.map((c) => SKILL_CATEGORY_META[c.code].label.length));
   for (const c of b.categories) {
-    lines.push(`  ${c.code}  ${c.status}${c.reason ? `  (${c.reason})` : ""}`);
+    const { label, description } = SKILL_CATEGORY_META[c.code];
+    lines.push(`  ${c.code}  ${label.padEnd(labelWidth)}  ${c.status}${c.reason ? `  (${c.reason})` : ""}`);
+    lines.push(`        ${description}`);
     if (c.status === "fail") {
       for (const f of c.findings.filter((x) => x.severity === "high").slice(0, 5)) {
         lines.push(`      ! ${f.kind}${f.file ? ` [${f.file}]` : ""}: ${f.match}`);
@@ -51,6 +41,24 @@ function render(b) {
   lines.push("", b.disclaimer);
   return lines.join("\n") + "\n";
 }
+
+// src/cli-skill.ts
+var HELP = `polygraphso-litmus-skill \u2014 static safety grades for Claude Code skills.
+
+usage:
+  polygraphso-litmus-skill [--json] <path-to-skill-dir>
+  polygraphso-litmus-skill --help
+
+The skill dir must contain a SKILL.md. The safety letter is a STATIC scan (no
+execution); an A means the static checks were clean, not that the skill is
+behaviorally safe.
+
+It also prints a separate, advisory quality signal. The optional LLM-judged
+axes (honesty, coherence) run only if you provide your own key \u2014 set
+LITMUS_LLM_API_KEY and LITMUS_LLM_MODEL (and LITMUS_LLM_BASE_URL for a non-OpenAI
+endpoint). Without a key only the deterministic well-formedness checks run.
+More at https://polygraph.so
+`;
 function renderQuality(q) {
   const lines = ["", `quality (advisory, separate from the grade): ${q.verdict}`];
   for (const c of q.checks) lines.push(`  ${c.status === "pass" ? "\xB7" : "!"} ${c.id}: ${c.detail}`);
@@ -87,7 +95,7 @@ async function main(argv) {
   const judge = judgeFromEnv();
   const quality = judge ? await runSkillQualityJudged(target, judge, { skillRef: target }) : runSkillQuality(target, { skillRef: target });
   process.stdout.write(
-    json ? JSON.stringify({ safety, quality }, null, 2) + "\n" : render(safety) + renderQuality(quality)
+    json ? JSON.stringify({ safety, quality }, null, 2) + "\n" : formatSkillSafety(safety) + renderQuality(quality)
   );
   return 0;
 }

package/dist/cli.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import {
   runLitmusCli
-} from "./chunk-BUKDFSDO.js";
+} from "./chunk-EMMCE3LC.js";
 import {
   parseServerRef,
   serverKey
-} from "./chunk-44R4ZYOE.js";
+} from "./chunk-X3P26XGS.js";
 
 // src/cli.ts
 import { readFileSync } from "fs";

package/dist/index.d.ts

@@ -37,6 +37,15 @@ declare const METHODOLOGY_VERSION: "litmus-v5";
  *  `harness.stdioIsolation`; older remain valid. */
 declare const BUNDLE_SCHEMA_VERSION: "1.4.0";
 type CategoryCode = "C-01" | "C-02" | "C-03" | "C-04";
+/**
+ * Plain-English label + one-line description for each probe category, so CLI and
+ * MCP output is legible without knowing the probe IDs. The single source of these
+ * strings — both renderers and the MCP `run_litmus` summary read from here.
+ */
+declare const CATEGORY_META: Record<CategoryCode, {
+    label: string;
+    description: string;
+}>;
 /** Probe IDs carry their family number (1=injection, 2=permission,
  *  3=adversarial-input, 4=sensitive). 1.3 (second-order injection) added in v5. */
 type ProbeId = "1.1" | "1.2" | "1.3" | "2.1" | "2.2" | "3.1" | "3.2" | "4.1" | "4.2";
@@ -323,6 +332,38 @@ interface RunLitmusOptions {
     onProgress?: (done: number, total: number, label: string) => void;
 }
 declare function runLitmus(target: TargetInput, opts?: RunLitmusOptions): Promise<EvidenceBundle>;
+/** The fields of a `tools/list` entry the harness reads. */
+interface ListedTool {
+    name: string;
+    description?: string;
+    inputSchema?: unknown;
+    annotations?: unknown;
+}
+interface ListToolsClient {
+    listTools(params?: {
+        cursor?: string;
+    }): Promise<{
+        tools?: ListedTool[];
+        nextCursor?: string;
+    }>;
+}
+/**
+ * Follow `tools/list` pagination to the end, accumulating the full tool surface.
+ * The MCP SDK's `listTools()` returns a single page and does not auto-paginate,
+ * so a server can park a tool (e.g. `transfer_funds`) or a poisoned description
+ * behind a `nextCursor` — invisible to a one-page lister, yet served to a real
+ * agent. We enumerate every page so the fingerprint and grade cover what the
+ * agent actually gets, and **fail closed**: if the server is still paginating
+ * past the gradable cap, we refuse rather than grade a partial surface.
+ */
+declare function enumerateTools(client: ListToolsClient, opts?: {
+    maxTools?: number;
+    maxBytes?: number;
+    listTimeoutMs?: number;
+}): Promise<ListedTool[]>;
+/** True if a Docker daemon is reachable (governs C-02 / probe 4.2, and the CLI's
+ *  detect-and-confirm sandbox prompt). */
+declare function isDockerAvailable(): Promise<boolean>;
 
 /**
  * Tool-surface fingerprint (litmus-test-v1 §6, technical-design §3).
@@ -441,6 +482,15 @@ declare function hasHighSeverity(findings: readonly Finding[]): boolean;
  */
 
 type SkillCategoryCode = "S-01" | "S-03" | "S-04" | "S-05";
+/**
+ * Plain-English label + one-line description for each skill category, so the skill
+ * CLI/MCP output is legible without knowing the S-codes. The single source of these
+ * strings — both the renderer and the MCP `run_skill_litmus` summary read from here.
+ */
+declare const SKILL_CATEGORY_META: Record<SkillCategoryCode, {
+    label: string;
+    description: string;
+}>;
 interface SkillCategoryResult {
     code: SkillCategoryCode;
     status: CategoryStatus;
@@ -961,23 +1011,27 @@ declare const runLitmusInputShape: {
     server_ref: z.ZodString;
     bearer: z.ZodOptional<z.ZodString>;
     header: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    unsafe_host_exec: z.ZodOptional<z.ZodBoolean>;
+    timeout_seconds: z.ZodOptional<z.ZodNumber>;
 };
-declare function handleRunLitmus({ server_ref, bearer, header }: {
+declare function handleRunLitmus({ server_ref, bearer, header, unsafe_host_exec, timeout_seconds }: {
     server_ref: string;
     bearer?: string;
     header?: string[];
+    unsafe_host_exec?: boolean;
+    timeout_seconds?: number;
 }, extra: RequestHandlerExtra<ServerRequest, ServerNotification>): Promise<{
+    isError: true;
     content: {
         type: "text";
         text: string;
     }[];
-    isError?: undefined;
 } | {
-    isError: true;
     content: {
         type: "text";
         text: string;
     }[];
+    isError?: undefined;
 }>;
 
 /**
@@ -1057,6 +1111,10 @@ interface ParsedLitmusFlags {
     headers: Record<string, string>;
     /** Whether to actively call state-changing tools (opt-in). */
     allowStateChanging: boolean;
+    /** Opt-in to run a stdio target's code on the host without Docker isolation. */
+    unsafeHostExec: boolean;
+    /** Aggregate wall-clock ceiling (ms) — `--timeout <seconds>`, else the default. */
+    timeoutMs: number;
     /** Non-flag arguments, in order (positionals[0] is the target). */
     positionals: string[];
 }
@@ -1072,4 +1130,4 @@ declare function parseAuthFlags(args: readonly string[], env?: NodeJS.ProcessEnv
 /** A target is an https URL, a local MCP entry file, or a registry ref. */
 declare function resolveTarget(target: string): string | StdioCommand;
 
-export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, type Judge, type JudgeOptions, type JudgedQuality, LITMUS_SCHEMA, LITMUS_SKILL_SCHEMA, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, type LoadedSkill, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type OnchainSkillAttestation, type OpenAICompatConfig, type ParsedLitmusFlags, type ParsedServerRef, type ParsedSkillRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, type QualityBundle, type QualityCheck, type QualityCheckStatus, type QualityVerdict, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, RUN_SKILL_LITMUS_TOOL_DESCRIPTION, RUN_SKILL_LITMUS_TOOL_NAME, RUN_SKILL_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, type RunSkillLitmusOptions, type RunSkillQualityOptions, SKILL_BUNDLE_SCHEMA_VERSION, SKILL_METHODOLOGY_VERSION, SKILL_QUALITY_VERSION, ServerRefParseError, type Severity, type SkillAttestationFields, type SkillCategoryCode, type SkillCategoryResult, type SkillEvidenceBundle, type SkillFile, type SkillGrade, type SkillGradeForAttestation, SkillLoadError, SkillRefParseError, type SkillSource, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, VERIFY_SKILL_TOOL_DESCRIPTION, VERIFY_SKILL_TOOL_NAME, VERIFY_SKILL_TOOL_TITLE, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, dangerousCommand, decodeLitmusAttestation, decodeSkillAttestation, encodeLitmusAttestation, encodeSkillAttestation, encodeSkillAttestationFields, exfilInstruction, fingerprintToolDefs, formatServerRef, formatSkillRef, gateDecision, gradeFromCategories, gradeSkillCategories, handleRunLitmus, handleRunSkillLitmus, handleVerifySkill, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, judgeFromEnv, judgeSkillQuality, litmusFields, litmusSchemaUID, liveFingerprint, loadSkill, markdownTricks, networkConfig, openAICompatJudge, overBroadTrigger, parseAuthFlags, parseServerRef, parseSkillRef, readAttestation, readSkillAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, runSkillLitmus, runSkillLitmusInputShape, runSkillQuality, runSkillQualityJudged, selectedNetwork, serverKey, skillAttestationFields, skillInjection, skillInjectionFails, skillKey, skillSchemaUID, stateChangingToolNames, stripExamples, verifySkillInputShape };
+export { type AttestationView, BUNDLE_SCHEMA_VERSION, type BundleInput, CATEGORY_META, CATEGORY_STATUS_UINT8, type CategoryCode, type CategoryResult, type CategoryStatus, type ConnectOptions, type ConnectedTarget, DEFAULT_PASSING, type EvidenceBundle, type Finding, type FindingKind, type FingerprintResult, type GateAction, type GateDecision, type Grade, type HarnessInfo, type Judge, type JudgeOptions, type JudgedQuality, LITMUS_SCHEMA, LITMUS_SKILL_SCHEMA, type ListToolsClient, type LitmusAttestationFields, type LitmusGrade, type RunLitmusOptions as LitmusOptions, type LoadedSkill, METHODOLOGY_VERSION, NETWORKS, type Network, type NetworkConfig, type OnchainLitmusAttestation, type OnchainSkillAttestation, type OpenAICompatConfig, type ParsedLitmusFlags, type ParsedServerRef, type ParsedSkillRef, type ProbeContext, type ProbeId, type ProbeResult, type ProbeStatus, type QualityBundle, type QualityCheck, type QualityCheckStatus, type QualityVerdict, RUN_LITMUS_TOOL_DESCRIPTION, RUN_LITMUS_TOOL_NAME, RUN_LITMUS_TOOL_TITLE, RUN_SKILL_LITMUS_TOOL_DESCRIPTION, RUN_SKILL_LITMUS_TOOL_NAME, RUN_SKILL_LITMUS_TOOL_TITLE, type Registry, type RunLitmusOptions, type RunSkillLitmusOptions, type RunSkillQualityOptions, SKILL_BUNDLE_SCHEMA_VERSION, SKILL_CATEGORY_META, SKILL_METHODOLOGY_VERSION, SKILL_QUALITY_VERSION, ServerRefParseError, type Severity, type SkillAttestationFields, type SkillCategoryCode, type SkillCategoryResult, type SkillEvidenceBundle, type SkillFile, type SkillGrade, type SkillGradeForAttestation, SkillLoadError, SkillRefParseError, type SkillSource, type StdioCommand, type TargetDescriptor, type TargetInput, type TargetKind, type ToolAnnotations, type ToolDef, type ToolSafety, VERIFY_SKILL_TOOL_DESCRIPTION, VERIFY_SKILL_TOOL_NAME, VERIFY_SKILL_TOOL_TITLE, assembleBundle, canaryMatch, canonicalStringify, classifyTool, connectTarget, dangerousCommand, decodeLitmusAttestation, decodeSkillAttestation, encodeLitmusAttestation, encodeSkillAttestation, encodeSkillAttestationFields, enumerateTools, exfilInstruction, fingerprintToolDefs, formatServerRef, formatSkillRef, gateDecision, gradeFromCategories, gradeSkillCategories, handleRunLitmus, handleRunSkillLitmus, handleVerifySkill, hasHighSeverity, instructionMimicry, internalsLeak, invisibleUnicode, isDockerAvailable, judgeFromEnv, judgeSkillQuality, litmusFields, litmusSchemaUID, liveFingerprint, loadSkill, markdownTricks, networkConfig, openAICompatJudge, overBroadTrigger, parseAuthFlags, parseServerRef, parseSkillRef, readAttestation, readSkillAttestation, resolveTarget, rpcUrl, runLitmus, runLitmusInputShape, runSkillLitmus, runSkillLitmusInputShape, runSkillQuality, runSkillQualityJudged, selectedNetwork, serverKey, skillAttestationFields, skillInjection, skillInjectionFails, skillKey, skillSchemaUID, stateChangingToolNames, stripExamples, verifySkillInputShape };

package/dist/index.js

@@ -31,13 +31,14 @@ import {
   skillAttestationFields,
   skillSchemaUID,
   verifySkillInputShape
-} from "./chunk-Z66GKAQD.js";
+} from "./chunk-TK4EI66E.js";
 import {
   parseAuthFlags,
   resolveTarget
-} from "./chunk-BUKDFSDO.js";
+} from "./chunk-EMMCE3LC.js";
 import {
   SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   SKILL_QUALITY_VERSION,
   SkillLoadError,
@@ -46,6 +47,7 @@ import {
   classifyTool,
   connectTarget,
   dangerousCommand,
+  enumerateTools,
   exfilInstruction,
   fingerprintToolDefs,
   gradeFromCategories,
@@ -54,6 +56,7 @@ import {
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  isDockerAvailable,
   judgeFromEnv,
   judgeSkillQuality,
   loadSkill,
@@ -68,9 +71,10 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-RYJXVMCT.js";
+} from "./chunk-NPYDTMQ7.js";
 import {
   BUNDLE_SCHEMA_VERSION,
+  CATEGORY_META,
   CATEGORY_STATUS_UINT8,
   METHODOLOGY_VERSION,
   ServerRefParseError,
@@ -82,7 +86,7 @@ import {
   parseSkillRef,
   serverKey,
   skillKey
-} from "./chunk-44R4ZYOE.js";
+} from "./chunk-X3P26XGS.js";
 
 // ../agent/src/gate.ts
 function sameServer(a, b) {
@@ -112,22 +116,25 @@ function gateDecision(attestation, live, passing = DEFAULT_PASSING, now = BigInt
   const versionNote = attestation.resolvedVersion ? ` (graded version ${attestation.resolvedVersion})` : "";
   return { action: "pay", reason: `grade ${attestation.overallGrade}; live fingerprint matches${versionNote}` };
 }
+async function fingerprintLiveSurface(client) {
+  const defs = (await enumerateTools(client)).map((t) => ({
+    name: t.name,
+    description: t.description ?? "",
+    inputSchema: t.inputSchema ?? null
+  }));
+  return fingerprintToolDefs(defs).fingerprint;
+}
 async function liveFingerprint(target) {
   const conn = await connectTarget(target);
   try {
-    const { tools } = await conn.client.listTools();
-    const defs = (tools ?? []).map((t) => ({
-      name: t.name,
-      description: t.description ?? "",
-      inputSchema: t.inputSchema ?? null
-    }));
-    return { fingerprint: fingerprintToolDefs(defs).fingerprint, serverRef: conn.serverRef };
+    return { fingerprint: await fingerprintLiveSurface(conn.client), serverRef: conn.serverRef };
   } finally {
     await conn.teardown();
   }
 }
 export {
   BUNDLE_SCHEMA_VERSION,
+  CATEGORY_META,
   CATEGORY_STATUS_UINT8,
   DEFAULT_PASSING,
   LITMUS_SCHEMA,
@@ -141,6 +148,7 @@ export {
   RUN_SKILL_LITMUS_TOOL_NAME,
   RUN_SKILL_LITMUS_TOOL_TITLE,
   SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   SKILL_QUALITY_VERSION,
   ServerRefParseError,
@@ -160,6 +168,7 @@ export {
   encodeLitmusAttestation,
   encodeSkillAttestation,
   encodeSkillAttestationFields,
+  enumerateTools,
   exfilInstruction,
   fingerprintToolDefs,
   formatServerRef,
@@ -174,6 +183,7 @@ export {
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  isDockerAvailable,
   judgeFromEnv,
   judgeSkillQuality,
   litmusFields,

package/dist/mcp.js

@@ -20,12 +20,12 @@ import {
   runSkillLitmusInputShape,
   verifyInputShape,
   verifySkillInputShape
-} from "./chunk-Z66GKAQD.js";
-import "./chunk-BUKDFSDO.js";
+} from "./chunk-TK4EI66E.js";
+import "./chunk-EMMCE3LC.js";
 import {
   judgeFromEnv
-} from "./chunk-RYJXVMCT.js";
-import "./chunk-44R4ZYOE.js";
+} from "./chunk-NPYDTMQ7.js";
+import "./chunk-X3P26XGS.js";
 
 // src/mcp.ts
 import { realpathSync } from "fs";

package/dist/{src-TMJOIVGB.js → src-4L5VHLRF.js}

@@ -1,5 +1,6 @@
 import {
   SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   SKILL_QUALITY_VERSION,
   SkillLoadError,
@@ -8,6 +9,7 @@ import {
   classifyTool,
   connectTarget,
   dangerousCommand,
+  enumerateTools,
   exfilInstruction,
   fingerprintToolDefs,
   gradeFromCategories,
@@ -16,6 +18,7 @@ import {
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  isDockerAvailable,
   judgeFromEnv,
   judgeSkillQuality,
   loadSkill,
@@ -30,10 +33,11 @@ import {
   skillInjectionFails,
   stateChangingToolNames,
   stripExamples
-} from "./chunk-RYJXVMCT.js";
-import "./chunk-44R4ZYOE.js";
+} from "./chunk-NPYDTMQ7.js";
+import "./chunk-X3P26XGS.js";
 export {
   SKILL_BUNDLE_SCHEMA_VERSION,
+  SKILL_CATEGORY_META,
   SKILL_METHODOLOGY_VERSION,
   SKILL_QUALITY_VERSION,
   SkillLoadError,
@@ -42,6 +46,7 @@ export {
   classifyTool,
   connectTarget,
   dangerousCommand,
+  enumerateTools,
   exfilInstruction,
   fingerprintToolDefs,
   gradeFromCategories,
@@ -50,6 +55,7 @@ export {
   instructionMimicry,
   internalsLeak,
   invisibleUnicode,
+  isDockerAvailable,
   judgeFromEnv,
   judgeSkillQuality,
   loadSkill,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@polygraphso/litmus",
-  "version": "0.9.1",
+  "version": "0.11.0",
   "description": "Behavioral litmus harness for MCP servers — grade a server A–F (tool-output injection, egress, sensitive-data, adversarial-input) with reproducible, content-addressed evidence. Ships a CLI and an MCP server with a run_litmus tool for AI agents.",
   "license": "Apache-2.0",
   "homepage": "https://polygraph.so",
@@ -65,9 +65,9 @@
     "@polygraph/core": "0.0.0",
     "@polygraph/onchain": "0.0.0",
     "@polygraph/agent": "0.0.0",
-    "@polygraph/probes": "0.0.0",
+    "@polygraph/mcp": "0.0.0",
     "@polygraph/cli": "0.0.0",
-    "@polygraph/mcp": "0.0.0"
+    "@polygraph/probes": "0.0.0"
   },
   "publishConfig": {
     "access": "public"

package/dist/chunk-BUKDFSDO.js

@@ -1,118 +0,0 @@
-import {
-  canonicalStringify
-} from "./chunk-44R4ZYOE.js";
-
-// ../cli/src/litmus.ts
-import { existsSync } from "fs";
-import { createRequire } from "module";
-import * as path from "path";
-
-// ../cli/src/format.ts
-function formatBundle(b) {
-  const status = (code) => b.categories.find((c) => c.code === code)?.status ?? "?";
-  const lines = [];
-  lines.push(`\u2192 ${b.methodologyVersion} \xB7 ${b.serverRef}`);
-  if (b.resolvedVersion) lines.push(`\u2192 version ${b.resolvedVersion}`);
-  lines.push(`\u2192 C-01 ${status("C-01")} \xB7 C-02 ${status("C-02")} \xB7 C-03 ${status("C-03")} \xB7 C-04 ${status("C-04")}`);
-  const c01 = b.categories.find((c) => c.code === "C-01");
-  if (c01?.status === "fail") {
-    const highs = c01.probes.flatMap((p) => p.findings).filter((f) => f.severity === "high");
-    for (const f of highs.slice(0, 3)) {
-      lines.push(`   \u26A0 ${f.tool ?? "?"}: ${f.kind} \u2014 ${truncate(f.match, 64)}`);
-    }
-  }
-  lines.push(`\u2192 fingerprint ${shortFp(b.toolDefsFingerprint)}`);
-  lines.push(`\u2192 grade: ${b.grade}`);
-  lines.push(`   ${b.gradeRationale}`);
-  return lines.join("\n") + "\n";
-}
-function shortFp(fp) {
-  return fp.length > 14 ? `${fp.slice(0, 6)}\u2026${fp.slice(-4)}` : fp;
-}
-function truncate(s, n) {
-  return s.length > n ? `${s.slice(0, n)}\u2026` : s;
-}
-
-// ../cli/src/litmus.ts
-async function runLitmusCli(args) {
-  const json = args.includes("--json");
-  const { headers, allowStateChanging, positionals } = parseAuthFlags(args);
-  const target = positionals[0];
-  if (!target) {
-    process.stderr.write(
-      'usage: polygraphso litmus [--json] [--bearer <token>] [--header "Key: Value"] [--allow-state-changing] <registry-ref | https-url | path-to-mcp>\n'
-    );
-    return 2;
-  }
-  const { runLitmus } = await import("./src-TMJOIVGB.js");
-  const input = resolveTarget(target);
-  try {
-    const bundle = await runLitmus(input, { headers, allowStateChanging });
-    process.stdout.write(json ? canonicalStringify(bundle) + "\n" : formatBundle(bundle));
-    return bundle.grade === "D" || bundle.grade === "F" ? 1 : 0;
-  } catch (err) {
-    process.stderr.write(`\u2192 litmus failed: ${err instanceof Error ? err.message : String(err)}
-`);
-    return 1;
-  }
-}
-function parseAuthFlags(args, env = process.env) {
-  const headers = {};
-  const headerArgs = [];
-  let allowStateChanging = false;
-  let bearer = env.LITMUS_BEARER || void 0;
-  const positionals = [];
-  for (let i = 0; i < args.length; i++) {
-    const a = args[i];
-    if (a === "--json") continue;
-    if (a === "--allow-state-changing") {
-      allowStateChanging = true;
-    } else if (a === "--bearer") {
-      bearer = args[++i] ?? bearer;
-    } else if (a.startsWith("--bearer=")) {
-      bearer = a.slice("--bearer=".length);
-    } else if (a === "--header") {
-      const v = args[++i];
-      if (v) headerArgs.push(v);
-    } else if (a.startsWith("--header=")) {
-      headerArgs.push(a.slice("--header=".length));
-    } else if (a.startsWith("--")) {
-    } else {
-      positionals.push(a);
-    }
-  }
-  if (bearer) headers["Authorization"] = `Bearer ${bearer}`;
-  for (const h of headerArgs) {
-    const idx = h.indexOf(":");
-    if (idx === -1) continue;
-    const key = h.slice(0, idx).trim();
-    const value = h.slice(idx + 1).trim();
-    if (key) headers[key] = value;
-  }
-  return { headers, allowStateChanging, positionals };
-}
-function resolveTarget(target) {
-  if (/^https?:\/\//i.test(target)) return target;
-  if (existsSync(target)) {
-    const abs = path.resolve(target);
-    if (abs.endsWith(".ts") || abs.endsWith(".mts") || abs.endsWith(".cts")) {
-      return { command: process.execPath, args: [tsxCli(), abs], serverRef: target };
-    }
-    return { command: process.execPath, args: [abs], serverRef: target };
-  }
-  return target;
-}
-function tsxCli() {
-  const require2 = createRequire(import.meta.url);
-  const pkgJsonPath = require2.resolve("tsx/package.json");
-  const dir = path.dirname(pkgJsonPath);
-  const bin = require2(pkgJsonPath).bin;
-  const rel = typeof bin === "string" ? bin : bin.tsx ?? "./dist/cli.mjs";
-  return path.join(dir, rel);
-}
-
-export {
-  runLitmusCli,
-  parseAuthFlags,
-  resolveTarget
-};